[Reference] Law, Ethics and Responsible Disclosure




Explanation and overview 


Where law is about "rules and regulations created by an appropriate authority" [6], ethics is more
about moral guidelines. A basic guideline on cyber ethics could be: "Do not do something in
cyberspace that you would consider wrong or illegal in everyday life". More concrete ethical cyber
principles are, e.g.:


• Do not use computers to harm others.
• Respect the privacy of others.
• Discuss or complain about illegal or unethical use of computer facilities.


Responsible Disclosure [3][4][5] is a business policy, related to both law and ethics, that sends a
message to (white hat) hackers/researchers. The message is that the company
welcomes information on vulnerabilities in its IT environment, as long as you do not disturb IT
functionality or abuse confidential information. Sometimes rewards are given to researchers who
report a vulnerability (or a company could also hand out a t-shirt with "I hacked ... and all I got was
this lousy t-shirt").


[Image: sign reading "VERBODEN TOEGANG, ART. 461 WETBOEK VAN STRAFRECHT" (No entry, Section 461 of the Dutch Criminal Code)]


Cyber crime law defines how hacking is illegal. In Dutch law it is implemented in the Dutch
criminal code (http://www.ejtn.eu/PageFiles/6533/2014%20seminars/Omsenie/WetboekvanStrafrecht_ENG PV.pdf) [2]
(in Dutch: Wetboek van Strafrecht (http://wetten.overheid.nl/BWBR0001854/2017-03-01) [1]).
The first version of the Law on Computercrime was implemented in the Dutch criminal code in 1993.
Worldwide, the so-called Convention on Cybercrime [9] was drawn up by the EU, Japan, the USA,
Canada and South Africa. This convention was agreed on in 2001 and is currently ratified by 52
states. In the Netherlands the Convention on Cybercrime was implemented in local law in the Law on
Computercrime II in 2006. The latest version of the implemented cyber crime laws, which is
referred to as Law on Computercrime III (Wet Computercriminaliteit III), is in the process of being
activated. It has been accepted by the House of Representatives of the Dutch parliament (de 2e kamer).
Currently the Senate (de 1e kamer) still has to approve the new law before it can be activated.
Some controversy still exists about this new law, e.g. about the 'hack-back' options for criminal
investigators. Some examples of (Dutch) cyber crime laws:


• Computer trespassing (computervredebreuk), section (artikel) 138ab in the Dutch criminal code
• Possession, distribution, use or crafting of 'hacker tools' (section 139d)
• Hacking public services (section 161sexies)
• Other cyber crime articles in the law are: 138b, 139c, 139e, 161septies, 350a, 350b


Resources 


1. Wetboek van Strafrecht, http://wetten.overheid.nl/BWBR0001854/2017-03-01
2. Dutch criminal code (unofficial English translation), http://www.ejtn.eu/PageFiles


techniek aan juristen" (Law and Technology explained, in Dutch, Google Translate at least 
gives you some idea about what is being explained) 
4. Responsible disclosure, Wikipedia (https://en.wikipedia.org/wiki/Responsible_disclosure)
5. Guidelines responsible disclosure, NCSC (https://english.ncsc.nl/publications/publications/2019/juni/01/coordinated-vulnerability-disclosure-the-guideline)
6. Responsible disclosure guidelines, hackerone (https://www.hackerone.com/disclosure-guidelines)
7. Difference between law and ethics, http://keydifferences.com/difference-between-law-and-ethics.html
8. Cyber ethics, https://en.wikipedia.org/wiki/Cyberethics
11. Privacy Matters HD English subtitles (https://www.youtube.com/watch?v=ytI9wANDX2Y)
12. Edward Snowden on the Importance of Privacy (11/10/2016) (https://www.youtube.com/watch?v=WRzm7wrk_FA)
13. Hackers Help. Responsible Disclosure in the Netherlands (https://www.youtube.com/watch?v=vdCYgELCow4)
14. https://en.wikipedia.org/wiki/Hacker_ethic
15. Link to Law & Ethics case: Link


16. Workshop sheets and some other study materials can be found here. 


Exercise for Basic Level 


• Find a few examples of cyber crime cases (sentences and penalties). If you are a student from
abroad, find such example cases from your home country. Give a short personal view on your
chosen examples (do you agree? are you surprised? have you been a victim of similar
cases yourself?)
• Describe what you will do if you unexpectedly find a high-risk vulnerability in a website or IT
infrastructure (after reading the CVD policy (https://english.ncsc.nl/publications/publications


want to make money or make the world a safer place. 
• Find two or three companies, explain the concept of responsible disclosure they have in
place, and compare those companies.


Additional Challenges for Advanced level 


• Search for a court case with a suspect charged with cyber crime offences. How was the
charge defined by the prosecution? What arguments were given by the defence? How was
the case ruled by the judge and what arguments were given?

• Compare the local laws in your country, the ethics and the use of responsible disclosure with
those of another country. Do this with a fellow student from another country, or e.g. all
nationalities in your (project) group. Describe and evaluate differences.

• Study the EthicalOS.org Risk zones (https://ethicalos.org/wp-content/uploads/2018/08/Ethical-OS-Toolkit-2.pdf)
and fill in the checklist (https://ethicalos.org/wp-content/uploads/2018/08/EthicalOS_Check-List_080618.pdf)
for your project.